Evidence of meeting #23 for Access to Information, Privacy and Ethics in the 39th Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.) The winning word was pipeda.
A recording is available from Parliament.
4:10 p.m.
Liberal
Sukh Dhaliwal Liberal Newton—North Delta, BC
Ms. Siegel, you presented that PIPEDA is working at this point in time. Are you aware of any privacy breaches that might have occurred in the last three or four years since it came into effect?
4:10 p.m.
Lawyer, Information Technology Association of Canada
Am I aware of any privacy breaches?
4:10 p.m.
Lawyer, Information Technology Association of Canada
Certainly I come across issues with respect to privacy breaches often. The question is, are these breaches serious, and what do companies do about them? In fact, every organization that I've ever dealt with has always approached the Privacy Commissioner for guidance on what to do with their privacy breach.
In many cases, the privacy breaches are so insignificant—for example, an e-mail address. I'd say 99.9% of any of the privacy breaches I've encountered are accidental releases of someone's e-mail address. It's as simple as—and I'm sure everyone at this table has experienced it—sending that in the header of an e-mail and exposing the other people you're sending the e-mail to. That might be considered by some to be a privacy breach, and that's the reality of many of the privacy breaches.
With respect to consent issues and are consent issues and privacy breaches somehow tied together, PIPEDA goes into great, great detail with respect to what is a reasonable form of consent. The schedule to PIPEDA provides all sorts of examples with respect to what's a reasonable form of consent. Certainly it has become commonplace, in my experience. Every single company that I've ever dealt with puts together different standards of consent, based on the sensitivity of the information.
Organizations that are collecting sensitive personal information, such as financial data, almost always exclusively use express forms of consent; whereas if consent is just for purposes of secondary marketing, sending you literature in the mail about the organization or about maybe a sale going on down the street that you might be interested in...most individuals are very happy with implied forms of consent, and that's working quite well under PIPEDA. The Privacy Commissioner herself has recognized this in a whole string of decisions going back a few years now.
Really, the issue of consent is almost a settled piece of guidance within PIPEDA. Virtually no organization or no individual really gets too riled up about consent these days.
4:15 p.m.
Liberal
Sukh Dhaliwal Liberal Newton—North Delta, BC
Mr. Bowman said that certain amendments can be made to PIPEDA.
What is your view? Are you satisfied that it's fully working? Is there anything you see that can be modified?
4:15 p.m.
Lawyer, Information Technology Association of Canada
I think it depends on the perspective you're coming from.
With respect to transborder data flow, ITAC members don't believe that amendments are necessary under PIPEDA. The Privacy Commissioner, in two recent decisions--and you're probably familiar with them already--has carefully articulated guidelines with respect to what you need to do in the case of a transborder data flow. All companies now routinely use non-disclosure agreements and contracts.
If you look back in history at why organizations use contracts when they enter into any outsourcing arrangement, whether it's local or transborder, it's because the common law of agency and principle requires you to do that. You don't really need legislation to put that into practice; the law has already done that for you.
4:15 p.m.
President and Chief Executive Officer, Information Technology Association of Canada
If I may add something, when I talked earlier about being careful not to amend the law if it's not really necessary, as I heard from the Canadian Bar Association, there's one category of information for investigations pertaining to litigation. We have no views on that. That might well be required. I know if you change the law there, you're not going to change people's day-to-day lives such that they're now going to have to interpret things differently. It's going to be law firms doing interpretations.
On the lack of order-making power, I think creating a separate tribunal would really be adding another heavy layer. It would create another government institution with our taxpayer dollars and another place complainants would have to go to. I'd be very leery about that.
On the question of cross-border data flow, British Columbia tried to legislate that. It caused an awful mess. They were going to grind the health care system to a halt. They tried to make significant amendments to address it. The Privacy Commissioner has issued decisions that give very clear guidelines as to how you have to treat that. And it's the same with consent. The appendix talks about “knowledge and consent” in 4.3.2, meaningful consent, and in 4.3.5, “reasonable expectations of the individual”.
I think we're not talking about having to change the law; we're talking about how you interpret the law reasonably in a given circumstance.
4:15 p.m.
Liberal
4:15 p.m.
Bloc
Carole Lavallée Bloc Saint-Bruno—Saint-Hubert, QC
Thank you very much, Mr. Chair.
My first question is for the representatives from the Canadian Bar Association. Is there a law other than the Privacy Act that similarly protects the identity of the respondents, those who break the law? Is there another law like that?
4:15 p.m.
Chair, National Privacy and Access Law Section, Canadian Bar Association
Just so I'm clear on the question, are you asking if there is another law that protects non-complying organizations or individuals?
4:15 p.m.
Bloc
Carole Lavallée Bloc Saint-Bruno—Saint-Hubert, QC
No. I am talking about identity.
The Privacy Act protects the identity of the respondents, in other words, the names of the companies violating the law. Is there, in Canada or in certain provinces, other laws that also protect the identity of the respondents?
4:15 p.m.
President and Chief Executive Officer, Information Technology Association of Canada
I can try to give you an answer, Mrs. Lavalée.
The law we are talking about does not prevent the disclosure of identity. The commissioner decides on a case-by-case basis whether this is reasonable or not.
4:20 p.m.
Bloc
Carole Lavallée Bloc Saint-Bruno—Saint-Hubert, QC
You are right to make this clarification.
I want to know whether there are other laws that protect the name of the infringing companies in this way.
4:20 p.m.
Chair, National Privacy and Access Law Section, Canadian Bar Association
In your question, do you mean that do not permit the various commissioners in the provinces to disclose the identity of infringing organizations? I'm not aware of any provincial statutes that prohibit the respective Privacy Commissioner from disclosing the identity of an infringing organization.
4:20 p.m.
Bloc
Carole Lavallée Bloc Saint-Bruno—Saint-Hubert, QC
I did not think I was asking such a complicated question. I will re-word it.
Under the law, the commissioner can, or cannot, disclose the identity of the respondents. The fact remains that identity is not automatically disclosed. For example, if I am arrested for impaired driving, my name will surely appear in the media somewhere. However, no one decides whether my identity should be disclosed or not.
I would like to know whether there are other laws under which the identity of the respondents is not automatically made public. Is that a better way of phrasing my question?
4:20 p.m.
Chair, National Privacy and Access Law Section, Canadian Bar Association
Off the top of my head, I'm not actually aware of any.
4:20 p.m.
Bloc
Carole Lavallée Bloc Saint-Bruno—Saint-Hubert, QC
Thank you very much. That was a good answer. There was no wrong answer. In fact, I wanted to know what you thought. This helps me a great deal, despite what you might think.
Spokespeople from the Department of Industry appeared before the committee as witnesses and they informed us that the Privacy Act was the object of a constitutional dispute in the Quebec Court of Appeal.
Are you aware of this initiative and these issues? Could you comment on that?
4:20 p.m.
Chair, National Privacy and Access Law Section, Canadian Bar Association
No, I'm afraid I'm not in a position to speak about those issues. Like other lawyers, I'm waiting to see how the challenge unfolds. In terms of the issues that are at play, I certainly wouldn't be in a position. Nor has our section put its mind to analyzing that for the purposes of the PIPEDA review.
4:20 p.m.
Liberal
4:20 p.m.
Canada Research Chair in Ethics, Law and Technology, University of Ottawa, As an Individual
I would also disclaim any particular expertise on the issue. The issue, of course, is a constitutional issue, so it has to do in part with the fact that PIPEDA, as you've heard from other witnesses who've appeared before you, tries to achieve ends that can be understood as falling within both federal jurisdiction as well as provincial jurisdiction.
I actually don't have any particular comments that I think would enlighten this committee. Therefore, I'd rather not obfuscate by making my opinions known.
4:20 p.m.
President and Chief Executive Officer, Information Technology Association of Canada
It's not an issue that we have addressed as an association, so we have no expertise to bring.
4:20 p.m.
Bloc
Carole Lavallée Bloc Saint-Bruno—Saint-Hubert, QC
I have another question for the representatives from the Canadian Bar Association and perhaps for anyone else who wants to comment.
The privacy commissioner has talked about the difficulties she has encountered when, during investigations, she has wanted to access documents that were protected by solicitor-client privilege. She said this hindered her ability to investigate.
Do you have an opinion on this?
4:20 p.m.
Chair, National Privacy and Access Law Section, Canadian Bar Association
We certainly heard her remarks to this committee, but specifically addressing that issue, again, we haven't put our minds to it. What I can do is perhaps redirect this to the recommendations that we've put forward in terms of the overall functioning of the office right now. But directly on that point, I apologize again that we haven't put our minds directly to it.
4:20 p.m.
Canada Research Chair in Ethics, Law and Technology, University of Ottawa, As an Individual
I'd be happy to comment on that.
I was here on the day when Madame Commissioner was making her submissions to this committee. I would, quite frankly, be quite surprised if somehow solicitor–client privilege operated differently for the commissioner in terms of her investigations than it would for other investigatory bodies. From what was going on that day, I was quite unclear exactly on what it was that was being sought. If there is solicitor–client privilege, and if that privilege is such as to preclude other investigatory bodies from getting that evidence, it's not clear to me why the Privacy Commissioner should have that over and above other investigatory bodies.
